Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
In June 2025, Microsoft announced that, in June 2026, it would begin discontinuing Secure Boot certificates for Windows systems starting in 2011, which were replaced by their counterparts for 2023.
With the countdown down, it’s time to do some house cleaning to prevent potential problems later this year. If you have a system managed by your company or school, this process must be handled by your system administrators, which is different from personal computers.
What are certificates for?
Together, these four Certificates verify that the system’s initial boot processes – the software that is loaded directly by the system even before Windows starts – have not been tampered with.
It is used before Secure boota standard platform built into the firmware of all modern Windows systems and enabled or disabled by the Unified Extensible Firmware Interface, which is enabled by default. A mismatch does not necessarily mean that malicious code was loaded or executed, but only that the system cannot rule it out.
When does this happen?
The validity of the certificates will begin in June 2026 and continue until October 2026.
Which versions of Windows does this apply to?
In general, this will apply to all Windows 10 builds 1607 or later and Windows 11. (You can find Detailed lists On the Microsoft website.) But to receive certificate updates for Windows 10, you must sign up for Extended Security Update Program.
What should I do?
Maybe nothing. In many cases, these updates are likely already up to date: Windows will update them automatically as long as Secure Boot is enabled, and the automatic updates are scheduled to continue throughout the year.
However, you may want to verify by checking the current version.
Unlike virus definition updates, which cannot be stopped, certificates are part of the regular update process and can be paused. They are BIOS updates. How to find current versions varies, so you may have to do some searching.
But updates are starting to roll out in 2024, so if you have a recent version of the BIOS, which is much easier to check, you should be fine. (Paste msinfo32 into the Windows Start menu search field, and the BIOS date will be listed, for example.)
If you are adjusting the settings to reduce the update frequency, you should make sure that you are not somehow able to skip it. If Secure Boot is disabled, it may not have been updated either.
If you have a system that you haven’t run in a while, it’s probably worth it to boot it up and update it just to avoid future problems.
What if they are not current?
After making sure Secure Boot is enabled and running Windows Update, if those updates are still incorrect, you’ll likely need to find instructions for your computer or motherboard (if you’ve built your own). Microsoft availability Links to a handful of manufacturers.
What happens if I don’t update?
Expired certificates will certainly prevent Windows from keeping its runtime security features and databases up to date, which could expose your system to vulnerabilities. But the certificates check and identify only that code that does not match what you expect to see.
They do not prevent code from being loaded or executed. Instead, other layers of software determine how to respond. The response can be anything from simply triggering a notification in Event Viewer to potentially interfering with the way the program runs (such as Windows BitLocker disk encryption), which is determined by what is installed on your system and which Windows features are enabled.
For example, an enterprise-managed laptop tends to have multiple layers of security, which may prevent you from doing almost anything, while a personal system may only shrug with a metaphorical shrug. If Secure Boot is disabled, nothing will be affected.